
Why is there a private RSA key in this repository? #43

Open
jrddunbr opened this issue May 25, 2018 · 1 comment

Comments

@jrddunbr

I have not looked into how this code works, as I don't personally use Docker for anything at the moment, but a friend mentioned this repository to me, and when I saw the id_rsa file, I couldn't help but create an issue. I can imagine no scenario where having an RSA private key in the wild for something that someone may use for production is a good idea.

You mention in the readme:

The Docker-SSH container comes with a default RSA key that will be used.

Is that not bad security practice? I mean, in most situations when someone would use this, it's not going to be publicly accessible, but is it really a smart idea to have a default security key for anything in the first place? You even discourage people from setting up no authentication in the readme (and mention that it will log every event in that case):

This mechanism is nevertheless discouraged and should be used with care! The use of this authentication mechanism will create an error entry in the log.

Why not generate the key on setup? Many systems have the required system packages in place.

@jeroenpeeters
Owner

Very good point. I did this for convenience, but generating a key on startup is indeed a much better idea!
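One way to do what the issue asks for, as an added example that is not the docker-ssh project's own code: an entrypoint script that generates the host key at container start when none is present, and also refuses to reuse a key whose fingerprint matches a known shipped default. It assumes the key lives at `$SSH_KEY_DIR/id_rsa`, that sshd is the container's foreground process, and the default fingerprint is an obvious placeholder, not the repository's real value.

```shell
#!/bin/sh
# Added example, not from the docker-ssh project: generate the SSH host key
# when the container starts instead of shipping id_rsa inside the image.
# Assumptions: the key lives at $SSH_KEY_DIR/id_rsa and sshd is started with it.
set -eu

KEY_DIR="${SSH_KEY_DIR:-/etc/ssh}"
KEY_FILE="$KEY_DIR/id_rsa"
# Placeholder, not a real value: fingerprint of the key that was checked into
# the repository, so a container still carrying it will not start with it.
DEFAULT_KEY_FP="${DEFAULT_KEY_FP:-SHA256:PLACEHOLDER_FINGERPRINT_OF_REPO_KEY}"

# Returns 0 (true) when a fresh key must be generated: the file is missing or
# empty, or its fingerprint matches the known shipped default.
key_needs_generation() {
    key="$1"
    [ -s "$key" ] || return 0
    if command -v ssh-keygen >/dev/null 2>&1; then
        fp=$(ssh-keygen -lf "$key" 2>/dev/null | awk '{print $2}' || true)
        if [ -n "$fp" ] && [ "$fp" = "$DEFAULT_KEY_FP" ]; then
            return 0
        fi
    fi
    return 1
}

# Generates a new 4096-bit RSA key pair without a passphrase and restricts
# the private key so only the user running sshd can read it.
generate_key() {
    key="$1"
    mkdir -p "$(dirname "$key")"
    rm -f "$key" "$key.pub"
    ssh-keygen -t rsa -b 4096 -N '' -f "$key" >/dev/null
    chmod 600 "$key"
}

main() {
    if key_needs_generation "$KEY_FILE"; then
        echo "No usable host key at $KEY_FILE, generating one" >&2
        generate_key "$KEY_FILE"
    fi
    # Assumption: sshd is the container's foreground process.
    exec /usr/sbin/sshd -D -h "$KEY_FILE"
}

# Use as ENTRYPOINT ["/entrypoint.sh", "start"]; without the argument the
# script only defines its functions, so they can be sourced and tested.
if [ "${1:-}" = "start" ]; then main; fi
```

Each container instance then gets its own key on first start, and a volume mounted at `$SSH_KEY_DIR` keeps that key stable across restarts.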
